Story updated 5-June-2011: Information on the SonyPictures.RU attack can be found at the end of the post.

By my count this is unlucky hack number 13 for Sony. A Lebanese hacker known as Idahc dumped another user database at Sony Europe containing approximately 120 usernames, passwords (plain text), mobile phone numbers, work emails and website addresses.

The attacker claims that he used standard SQL injection techniques to acquire the database. I think it is fair to say it appears that Sony has not learned anything from the previous 12 attacks.

Idahc is the same attacker who targeted the Canadian Sony Ericsson site in May, 2011. In his note on pastebin he states: "I was Bored and I play the game of the year : 'hacker vs Sony'." He posted the link to pastebin with the simple note "Sony Hacked: pastebin.com/OMITTED lol."

If you are a database administrator (especially a Sony one) and want to avoid your sensitive data from ending up in the headlines I recommend you actually test your web applications for SQL vulnerabilities.

A great resource with detailed information on how to protect against SQL injection attacks is available at codeproject.com.

Update: In addition to the attack detailed above, the hacking group known as LulzSec has compromised SonyPictures.RU through another SQL injection flaw. No personal information was disclosed in the attack; it appears to have been designed just to continue to point out security flaws in Sony's infrastructure to create PR problems for the media giant. In the note, LulzSec left a message: "In Soviet Russia, SQL injects you..."

"SonyPictures.com was owned by a very simple SQL injection, one of the most primitive and common vulnerabilities, as we should all know by now. From a single injection, we accessed EVERYTHING. Why do you put such faith in a company that allows itself to become open to these simple attacks?"

This sounds like a broken record... Passwords and sensitive user details stored in plain text... Attackers using "a very simple SQL injection" to compromise a major media conglomerate.

Worst of all the hackers are exposing over a million people to having their accounts compromised and identities stolen simply to make a political point.

The take away for the average internet users is clear. Don't trust that your password is being securely stored and be sure to use a unique password for every website to limit your exposure if hacks like these occur.

I took a brief look at some of the information disclosed and many passwords used were things like "faithful", "hockey", "123456", "freddie", "123qaz" and "michael".

Companies collecting information from their customers have a duty to protect that information as well.

In addition to employing proper encryption to protect against theft or loss, companies should work with reputable penetration testers to validate their security plans.

Paul Ducklin joined me from Sydney this week as we both returned home from a long and rewarding trip to InfoSec Europe.

While the news has been dominated by the recent attack on Sony Computer Entertainment, we started off talking about the actions the US government took against the Coreflood botnet. The news was largely positive, but it does allow broadened powers for the police that include actions some feel could further harm the victims.

When the topic of DSLReports, Sony and other data leakage incidents came up, our conclusions were ultimately in alignment. While these incidents are important and may draw our attention to the problem, these losses are only a small part of what Paul likes to call the "death of a million cuts."

On the topic of the supposed "Stars" virus, which Iran claims is a second stage Stuxnet virus, the conclusion was the same. Even if this "Stars" virus is real, and is a concern for Iran, in the meantime the rest of us are being hit with a barrage of cyber-crap that is having real impact on our lives.

No story is complete without some comment on Facebook and Chet Chat 58 is no exception. Aside from the usual list of attacks and scams, it appears that their DMCA takedown process and other pieces of their self-defense mechanisms are easily manipulated. Ars Technica's Facebook page was arbitrarily deleted this week based on a DMCA claim that no one has yet been able to explain.

1. Sony, like any company who keeps customer account details, is responsible for keeping this sensitive data safe.

So the question is, How could these details, potentially including credit card details, of a whopping 70 million users not be encrypted? It baffles the mind.

Perhaps the data was indeed encrypted, but if it was, how come Sony haven't stated this?

Let's say I accidentally leave my front door ajar, leave the house for a few days, and return to find that I was robbed. People will say I am a bit of an dodo brain, but I will still get sympathy from friends and family and we will all blame the thief.

But, if I convince all my friends and family to trust me with their prized possessions, pile their valuables on my coffee table, and then leave the front door open, I doubt they will be very supportive when I meekly approach them saying, "whoopsie - someone took them. These things happen, right?"

So it is no wonder that so many people are annoyed. They have a right to be.

2. What the F*** happened at PSN?

Having read Sony's statement, they thank their "valued" customers for patience/goodwill/understanding (annoying in itself since I doubt many feel patient, generous or understanding). They also tell you to be wary of scams, which is all well and good.

But they don't tell us what happened.

I really REALLY want Sony to stand up and explain how the company screwed up, how the bad guys got into their system, why the data wasn't properly stored: a clear and concise explanation and, where appropriate, a straight-up apology for their oversights/misplaced bets/mistakes/etc

(Shall we place a bet on whether an APT was responsible? - sorry, couldn't help it...)

It won't get your data back, but at least we'll all have some idea of how this happened. And it might do wonders to repair the trust issues it is bound to face with its stakeholders. More importantly, it will help other companies learn from Sony's mistakes.

True, it can take some time to sort through all the bits and bobs before you provide a detailed explanation. But Sony set a rather slooooooow pace by waiting a week between its first announcement and yesterday's statement.

Users of Sony's PlayStation Network are at risk of identity theft after hackers broke into the system, and accessed the personal information of videogame players.

The implications of the hack, which resulted in the service being offline since last week, are only now becoming clear as Sony has confirmed that the hackers, who broke into the system between April 17th and April 19th, were able to access the personal data of online gamers.

In a blog post, Sony warns that hackers have been able to access a variety of personal information belonging to users including:

In addition, Sony warns that profile information - such as your history of past purchases and billing address, as well as the "secret answers" you may have given Sony for password security may also have been obtained.

As if that wasn't bad enough, Sony admits that it cannot rule out the possibility that credit card information may also have been compromised:

While there is no evidence at this time that credit card data was taken, we cannot rule out the possibility. If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number (excluding security code) and expiration date may have been obtained.

The fact that credit card details, used on the network to buy games, movies and music, may also have been stolen is obviously very worrying, and affected users would be wise to keep a keen eye on their credit card statements for unexpected transactions. Questions clearly have to be asked as to whether Sony was ignorant of PCI data security standards and storing this and other personal data in an unencrypted format.

So how could hackers exploit the information stolen from the Sony PlayStation Network?

1. Break into your other online accounts. We know that many people use the same password on multiple websites. So if your password was stolen from the Sony PlayStation Network, it could then be used to unlock many other online accounts - and potentially cause a bigger problem for you.

Oh, and you better be sure that you have changed your "secret answers" too.

2. Email you phishing scams or malware attacks. If they stole your email address from Sony, they can now email you. And it wouldn't be difficult for the cybercriminals to create an email which pretended to be a legitimate organisation (perhaps Sony themselves?) to steal more information or carried a Trojan horse designed to infect your computer. The fact that they know your name and snail-mail address could make the email even more convincing.

3. Hit you in the wallet. If your credit card details have been exposed by the Sony PlayStation Network hack then you could find fraudsters begin to make purchases from your account - if you notice that money is missing, you'll have to go through the rigmarole of claiming the money back from your credit card company.

This security breach is not just a public relations disaster for Sony, it's a very real danger for its many users.

If you're a user of Sony's PlayStation Network now isn't the time to sit back on your sofa and do nothing. You need to act now to minimise the chances that your identity and bank account becomes a casualty following this hack.

That means, changing your passwords, auditing your other accounts, and considering whether you should keep a closer eye on those credit card statements or simply telling your bank that as far as you're concerned the card is now compromised.

Should you cancel your credit card?

Look at it this way.

If I lost my credit card in the back of a taxi I would cancel my card. I wouldn't wait for a fraudster to sting it for cash. If Sony has lost your credit card details then it's worse as the credit card information is now being held digitally, right in the hands of people best placed to exploit it.